Mar 12, 2011

Breaking In Windows XP Password

Method 1:

If you have an administrator account (not Guest), then the XP users’ passwords can be reset using the command prompt.

Go to the taskbar and click the Start button, then click Run; in the dialog box type “command” and press Enter.

Now, in the command prompt, type “net user”. The screen will display the list of users available on the machine.

Suppose there are three administrator users with the names admin1, admin2 and admin3. Then the password of any user can be changed by logging into the account of any one administrator.

For example, if we want to change the password of admin1, we can change it with the following command:

net user admin1 password

Do the same for any other user whose password you want to change.

The general syntax for changing a password follows the same pattern: net user followed by the account name and the new password.

Limitations: the above method only works if you are logged in as an administrator user.
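A defender reviewing a machine where Method 1 may have been used wants to spot the reset command in process-creation records. The following is an added detection example, not part of the original post: it classifies “net user” command lines (listing, querying, resetting a password, or adding an account) over a constructed sample of audit records, and reports the cases where one account sets another account’s password. The record format (user=… cmd=…) is an assumption made for the example.

```python
import re
from typing import Iterable

# Constructed sample of process-creation audit records (not real logs):
# one record per line, "user=<account that ran it> cmd=<command line>".
SAMPLE_EVENTS = [
    "user=admin2 cmd=net user",
    "user=admin2 cmd=net user admin1",
    "user=admin2 cmd=net user admin1 password",
    "user=admin2 cmd=net user admin1 *",
    "user=admin3 cmd=net user helpdesk P@ss /add",
    "user=admin1 cmd=net user admin1 newpass",
    "user=svc cmd=C:\\WINDOWS\\system32\\NET.EXE USER admin3 x /domain",
]

RECORD_RE = re.compile(r"^user=(?P<user>\S+)\s+cmd=(?P<cmd>.+)$")
# Matches "net user ..." or "<path>\net.exe user ...", case-insensitively.
NET_USER_RE = re.compile(r"^(?:.*\\)?net(?:\.exe)?\s+user\b(?P<args>.*)$", re.IGNORECASE)


def classify_net_user(cmdline: str) -> str:
    """Return "list", "query", "reset", "add" or "other" for a command line."""
    m = NET_USER_RE.match(cmdline.strip())
    if not m:
        return "other"
    args = m.group("args").split()
    switches = [a for a in args if a.startswith("/")]
    positional = [a for a in args if not a.startswith("/")]
    if any(s.lower() == "/add" for s in switches):
        return "add"                # net user <name> <pw> /add creates an account
    if len(positional) == 0:
        return "list"               # net user -> only enumerates accounts
    if len(positional) == 1:
        return "query"              # net user admin1 -> shows account details
    return "reset"                  # net user admin1 <pw or *> -> sets a new password


def find_password_resets(records: Iterable[str]) -> list:
    """Return the records where an account resets *another* account's password
    or adds an account; a user changing their own password is not reported."""
    hits = []
    for line in records:
        rm = RECORD_RE.match(line)
        if not rm:
            continue                # skip records that are not in the assumed format
        actor, cmd = rm.group("user"), rm.group("cmd")
        kind = classify_net_user(cmd)
        if kind not in ("reset", "add"):
            continue
        target = NET_USER_RE.match(cmd.strip()).group("args").split()[0]
        if kind == "reset" and target.lower() == actor.lower():
            continue                # self-service password change, not a takeover
        hits.append({"actor": actor, "target": target, "kind": kind, "cmd": cmd})
    return hits
```

Running find_password_resets(SAMPLE_EVENTS) on the constructed records flags the two resets of admin1 by admin2, the /add by admin3, and the reset of admin3 by svc, while the listing, the query and admin1’s own change are ignored.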

Method 2:

Windows recovery option.

Boot from the Windows XP CD and press Enter when you are prompted to install a Windows copy; on the next screen there is an option to repair the existing Windows installation. This method is also known as the Windows recovery method.

The repair option takes as much time as the installation would have taken, because the Windows file system is replaced, including the SAM file where the passwords are stored, whereas the users’ settings remain untouched.

Thus the users’ passwords are reset to a NULL value.

In repair mode there is another hole you can use to modify the password, and it is easier. The steps are as follows.

Boot from the XP bootable CD. After the license agreement is accepted (by pressing F8), select the target Windows installation for repair.

After the file copy completes, the machine will restart and the repair process will start. You will see ‘Installing devices’, ‘39 minutes left’ etc. at the bottom left of your screen.

Now press Shift+F10. A console (command window) will open.

Type nusrmgr.cpl and hit Enter. This lets you enter the user account settings. Now change the password; you will not be asked for the old password, just type the new password there.

Continue the repair process. It is strongly recommended that you continue the repair until it is completed.

You are done; the password is replaced. The password strength does not matter in this case.

Method 3:

Boot your computer from a live Linux CD or DVD which has NTFS/HPFS file-system support.

Then mount the drive which has the Windows copy installed on it, and copy the SAM file from its location, which will be shown as /media/disk-1/Windows/System32/config/sam.

It is a common misconception that the SAM file can be viewed in a normal text editor; the SAM file isn’t a normal text file.

The GNOME, KDE or vim text editors won’t display the content of this file.

Open the file using the Emacs editor (available in nearly all live Linux distributions). It will be hard to find the password hashes, so look for the user names, which are not encrypted; just after the user names the password hashes can be found. Copy the code between the “%” signs and search Google for rainbow tables; they will provide the decrypted value if it has already been brute-forced earlier. This isn’t a sure-shot method, as the rainbow project is still under development. The password can be set to NULL by deleting the content, but this might corrupt the SAM file, and recovery is then the only option left.

Limitations: this method can corrupt your SAM file, which may require a repair of Windows XP, and you risk your personal data with that.

Method 4:

Ophcrack method.

This is a sure-shot password recovery method based upon brute-forcing.

This live CD is based upon the Slax LiveCD v5.1.7. It has been customized to include ophcrack 2.3.3 and the SSTIC04-10k table set. It is able to crack 99.9% of alphanumeric passwords. Since the tables have to be loaded into memory, cracking time varies with the amount of available RAM. The minimum amount of RAM required is 256MB (because the live CD uses a lot of it); the recommended amount is 512MB. Ophcrack will auto-detect the amount of free memory and adapt its behaviour to preload all the tables it can.

A shell script launched at the beginning of the X session (the session that manages your desktop) does the job of finding the Windows partition and starting the appropriate programs to extract and crack password hashes. It will look for all partitions that contain hashes. If more than one is found, you will have to choose between them.

If your partition is not detected, make sure the partition containing the hashes you want to crack is mounted, and then use ophcrack’s ‘Load from encrypted SAM’ function to recover your Windows hashes. Then click ‘Launch’ and the cracking process will start.

1 comment:

  1. I have got Password Recovery Bundle and it also can reset my forgotten Windows password.